Heimdal

Heimdal is an implementation of Kerberos 5 that aims to be protocol compatible with existing implementations and RFC 4120. It supports Kerberos V5 over GSS-API (RFC 1964) and PK-INIT (smartcard support) for Kerberos, and includes a number of important and useful applications (rsh, telnet, popper, etc.). Heimdal also contains an ASN.1 compiler, X.509 library, and NTLM (v1 and v2) library.

Release Notes: Several bugs in iprop were fixed. Platforms without dlopen are now supported. RFC3526 modp group14 is now included by default. [kdc] database = { } entries are now handled without realm = stanzas. krb5_get_renewed_creds and kaserver preauth were fixed along with other bugs.

Release Notes: A new gss_pseudo_random() function for mechglue and krb5 has been added, and the session key for the krbtgt is now selected by the client's best encryption type. Interoperability with other PK-INIT implementations has improved, and there is initial support for Mac OS X Keychain for hx509, as well as alias support for initial ticket requests. Symbol versioning has been added to selected libraries on platforms that use the GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc. A new version of imath is included in hcrypto. Some memory leaks and other bugs were also fixed.

Release Notes: This release fixes a security problem in rshd that enabled an attacker to overwrite and change ownership of any file that root could write. It fixes a DoS in telnetd. It makes gss_acquire_cred(GSS_C_ACCEPT) check that the requested name exists in the keytab before returning success. (This allows servers to check if it's even possible to use GSSAPI.) It fixes the receiving end of token delegation for GSS-API. It still wrongly uses subkey for sending, for compatibility reasons. telnetd, login, and rshd are now more verbose in logging failed and successful logins.